1

The virtual machine instance is up and running and can get the serial port login: prompt, but cannot connect via SSH. What would Google's reasoning be for this behavior?

The VM instance does NOT have an external IP address by design.

My Google Cloud Shell instance does not have a 10.240.0.0/16 IP address that my VM instance has, so I assume that is why I cannot SSH via Cloud Shell. Why would an instance need internet access from within the web-browser-based Cloud Shell?

ERROR: (gcloud.beta.compute.ssh) Instance [instance-centos7] in zone [us-zone-somewhere] does not have an external IP address, so you cannot SSH into it. To add an external IP address to the instance, use [gcloud compute instances add-access-config].

Have restarted the Cloud Shell instance in the hopes it would be rebuilt with the correct IP addresses.

Project-wide SSH keys are NOT blocked.

In the web browser, all SSH options are disabled and greyed out.

I can tail the serial port output to verify it stops and starts but not interact with it because I did not set a password.

Over the years, I have had several virtual instances that did not have a public IP address, but I was able to connect fine in order to secure the machine before allowing access from the internet.

Based on the 10.240.0.0/16 IP subnet, it appears I have a legacy network.

Wanted a virtual machine host base machine that does not have direct access to the internet but which LXC containers would get a public IP.

8
  • From the menu you can choose NETWORKING > VPC network > VPC networks to see if you are using a legacy network or not. Look in the Mode column.
    – kasperd
    Commented Nov 26, 2017 at 20:50
  • I am not sure it makes a difference whether you are using a legacy network or not. As far as I can tell the Cloud Shell VM is not running inside of your virtual network but rather just has the credentials needed to access the project through gcloud commands. So gcloud ssh commands should work just as if you ran it on the machine where you normally run gcloud. That doesn't give you access to ssh to machines without a public IP though. I think the recommended approach if you want to do that is either a bastion VM with a public IP or a VPN.
    – kasperd
    Commented Nov 26, 2017 at 21:11
  • Confirmed it has a legacy network.
    – rjt
    Commented Nov 26, 2017 at 21:41
  • After clicking Edit, the check box to enable serial port access went from unchecked && disabled to unchecked && enabled. Was able to check the box and get a serial port logon prompt. Of course, I do not think I set a password yet, so not helping so much.
    – rjt
    Commented Nov 26, 2017 at 21:49
  • @kasperd Why would an instance need internet access from within the web-browser-based Cloud Shell? ERROR: (gcloud.beta.compute.ssh) Instance [instance-centos7] in zone [us-zone-somewhere] does not have an external IP address, so you cannot SSH into it. To add an external IP address to the instance, use [gcloud compute instances add-access-config].
    – rjt
    Commented Nov 26, 2017 at 21:56

1 Answer

1

Cloud Shell provides a limited shell for interactive use only as per the following documentation.

A Google Cloud Shell SSH connection allows users to connect to Google Compute Engine Virtual Machines from within the Google Cloud Platform Console. It differs from SSH connections made from Compute Engine VM instances because they are made from inside another VPC network and can be behind a firewall that if not set correctly can block connections.

Google Compute Engine instances can be created with or without an external IP address. Creating an instance without an external IP address offers a high level of security since the instance cannot be directly accessed from the outside. We can still connect to the instance's internal IP address from the public but only via other methods that have access to the internal IP address of the instance. These methods include ‘connecting through a VPN connection that has access to the internal IP address’ or through a ‘Bastion Host’ instance as per the following documentation.

Ensure that the ‘Block project-wide SSH keys’ option is not enabled when you create the VM instance or the instance will ignore project-wide SSH keys as per the documentation.
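
The bastion-host method named in this answer, as an added example (not code from the answer or from Google): a POSIX shell script that checks both addresses against the question's 10.240.0.0/16 range and prints an ssh_config fragment that reaches the internal-only VM through the bastion with OpenSSH's ProxyJump. The external address 203.0.113.10, the internal address 10.240.0.2, the host aliases and the user name are constructed assumptions.

```shell
#!/bin/sh
# Added example. Addresses, host aliases and user name are constructed values.

# Convert a dotted-quad IPv4 address to an integer; status 1 if malformed.
# The body is a subshell so the IFS change does not leak to the caller.
ip_to_int() (
  case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*) return 1 ;; esac   # no leading zeros (octal ambiguity)
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed only if address $1 lies inside CIDR block $2 (prefix length 0-32).
in_cidr() (
  ip=$(ip_to_int "$1") || return 1
  net=$(ip_to_int "${2%/*}") || return 1
  mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# Print an ssh_config fragment. Args: bastion_external_ip vm_internal_ip
# network_cidr user. ProxyJump tunnels the second hop through the bastion, so
# the private key stays on the client and no agent forwarding is needed.
render_ssh_config() {
  ip_to_int "$1" >/dev/null || { echo "bad bastion address $1" >&2; return 1; }
  in_cidr "$2" "$3" || { echo "target $2 is not inside $3" >&2; return 1; }
  if in_cidr "$1" "$3"; then
    echo "bastion $1 is an internal address, unreachable from outside" >&2
    return 1
  fi
  cat <<EOF
Host gce-bastion
    HostName $1
    User $4
Host gce-internal
    HostName $2
    User $4
    ProxyJump gce-bastion
EOF
}

# Constructed sample run; save the output and use: ssh -F <file> gce-internal
render_ssh_config 203.0.113.10 10.240.0.2 10.240.0.0/16 sampleuser
```

The bastion itself still needs an external IP address and a firewall rule that admits SSH only from the administrator's source addresses.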
